16

I have written many APIs in C# and created a "Swagger" documentation website using Swashbuckle.

For Authenticate REST calls I use an API Key in the header.

I created a page that permits to download a specific client for any programming language as documented here: https://generator.swagger.io

I would like to enable the user to generate a client with his own API Key so he does not need to manually set the API Key in the code anymore.

In my Swagger JSON I have this security definition:

"securityDefinitions": {
    "apiKey": {
        "type": "apiKey",
        "description": "API Key Authentication",
        "name": "X-ApiKey",
        "in": "header"
    }
}

In Swagger Client Generator's page I have found this model that permit to set up the clients options but I cannot find how (and if) the API key can be hard coded (or any other kind of authorization) in the client code.

GeneratorInput {
    spec (object, optional),
    options (object, optional),
    swaggerUrl (string, optional),
    authorizationValue (AuthorizationValue, optional),
    securityDefinition (SecuritySchemeDefinition, optional)
}
AuthorizationValue {
    value (string, optional),
    type (string, optional),
    keyName (string, optional)
}
SecuritySchemeDefinition {
    description (string, optional),
    type (string, optional)
}

I suppose I must set AuthorizationValue object but there is no documentation about that (or I can not find it).

It would be sufficient to be able to be able to have the generated client lib add an arbitrary HTTP header to all requests.

In which case we could just have it add:

X-ApiKey:{whatever the key is}

Anyone has an idea ?

Many Thanks!

Stewart_R
  • 13,764
  • 11
  • 60
  • 106
Luca Natali
  • 349
  • 6
  • 17
  • In the past, in a Windows world, I've stored keys in the registry, then manually modified the security on the registry key to only be accessible to the user that is running the scheduled task/process that needs to read it. Then your C# program just reads the registry key, and other people on the machine (without admin access) won't be able to read the key. It's not bullet proof but works in simple cases. – David Thomas Aug 25 '17 at 03:44
  • @DavidThomas Thanks for the suggestion but, honestly (despite the extensive comments!) this isn't a security concern for us (and also I strongly suspect for the OP). The client library will not be shared outside the set of users who would have access to the key anyway... – Stewart_R Aug 29 '17 at 07:20

1 Answers1

1

It seems to work to simply add it as a parameter on each call with a default value - so the JSON would have something like this:

"post": {
                "tags": [ "user" ],
                "summary": "Creates list of users with given input array",
                "description": "",
                "operationId": "createUsersWithListInput",
                "produces": [ "application/xml", "application/json" ],
                "parameters": [
                    {
                        "in": "body",
                        "name": "body",
                        "description": "List of user object",
                        "required": true,
                        "schema": {
                            "type": "array",
                            "items": { "$ref": "#/definitions/User" }
                        }
                    },
                    {
                        "in": "header",
                        "name": "X-ApiKey",
                        "required": false,
                        "type": "string",
                        "format": "string",
                        "default": "abcdef12345"
                    }
                ],
                "responses": { "default": { "description": "successful operation" } }
            }
Mel Clemens
  • 69
  • 6
  • This is a proposed amendment to the swagger definition file? So the API key would be in the swagger definition file itself? The question is more about how to hard code it into the client library generated using the [code generation tool](https://generator.swagger.io/). – Stewart_R Aug 30 '17 at 07:07